
Administration Guide


Investigation View

The Investigation View window is accessible using the Investigation View button () in the Advanced Data tab under Event Viewer. It helps you understand the flow of activity events during Threat Hunting with a dynamic and interactive graphical view of the activity event details: source, action and target. The graphical view lets you add more activity events to the graph and shows the relationship and timeline of those activities, such as the following:

  • All actions performed by a given process

  • All files the process has created or updated

  • All IPs the process has initiated communication with

It also allows you to interactively view a chain of activity events in the following ways:

  • Browse between the various processes involved in the chain

  • See all activity events related to one node in the Security Event graph

  • Filter activity events table to include or exclude a specific value

  • Switch and see the graph chain on the other involved endpoints while analyzing security event on one device

You can also perform certain actions, such as:

  • Retrieve or remediate files

  • Connect to a device or isolate a device

  • Move a device to high security group

  • See the graph chain on the other involved endpoints while analyzing security event on one device

Note
  • The Investigation View is not available to IT users (see Users). Read-Only users can only view and manipulate graphs but cannot remediate or perform other actions.

  • The view adds visualization and interaction of existing data that is already available in other non-graphical and non-interactive forms without creating or generating any additional data.

The following figure illustrates the various components of an Investigation View window launched from the Advanced Data tab under Event Viewer, which has the window title "Investigation + event ID".

Note

Compared with the investigation view window launched from the Details Pane under Threat Hunting, this view includes the following additional functionality:

  • Advanced threat hunting and investigation capabilities, such as exporting the graph as JSON, raw data items navigation graph, and Stacks view.

  • General event details in the first row, such as classification and incident response.

Component: Description

1

General details about the event, such as event ID, process name, classification, IP address, and incident responses.

2
  • Use the Export button () to save files for sharing or record-keeping purposes:

    • JSON—Export the event data as a JSON file.

    • SVG—Export the investigation view graph as an SVG file. This is the only option to save a graph that includes dynamic changes based on the default graph view, such as adding processes.

  • Use the following buttons, accessible by clicking the ellipsis on the right of the device name, to connect to a device, isolate a device, or move the device to the high security group.

3

Graphical flow diagram with a process tree that you can build according to your investigation needs, from left to right and top to bottom. The tree is also interactive, which means you can click on a specific component to drill down for more details or contextual actions.

A

Node—Source of an activity or event, which can be a process, an endpoint, a thread or service, or another security product. Nodes are represented by boxes with icons for the activity type, some with descriptions under the boxes.

  • Click on a node to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific node.

  • Click the Collapse () or Expand () icon to the right of a node icon to show or hide all the downstream nodes, edges, and leaves.

  • Right-click a node to perform actions allowed on the node, including any custom actions you defined. These action buttons also appear in the Details Pane, which is available on the right after you click the node.

    The list of available options varies by node type. The following is an example list of actions for a process node.

B

Edge—Activity event type or action represented by a curved line with an arrow. An edge can be one activity event/action or an aggregation of several. The numbered arrows indicate the sequence of actions and specify the action that was performed, such as Process Creation, Socket Close, Block and so on. Multiple operations performed between two processes are represented by multiple arrows between them. Edges that triggered the event are indicated in red.

Click on an edge to display the Details pane on the right and the Stacks view on the bottom with contextual information about that specific edge.

Edges may also have icons below them indicating classification or violation of certain rules and MITRE & Behavior models. Click on an icon for more detailed information.

C

Leaf—Target of an activity event, of type File, Registry Key, Registry Value, or Network component (IP/DNS/URL). A leaf can also be a group of artifacts, for example all the files created or modified by a process. Leaves have a round shape ().

  • Click on a leaf to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific leaf.

  • Right-click a leaf to perform actions allowed on the leaf, including any custom actions you defined. These action buttons are also available in the Details Pane, which appears on the right after you click the leaf.

    The list of available options varies by leaf type. The following is an example list of actions for a network leaf:

D

Hint—Categorized groups of activities related to a node that are not part of the main chain of activity events and thus not represented in the graphical diagram. Click a node to show the number of relevant activities. The hints no longer display after you move the selection to another node or edge.

  • Click the Expand () or Collapse () icon near a leaf hint to show or hide the node or leaf list of that type.

  • Right-click the type name of a hint and select Add to graph to add the relevant leaves to the graph or select View activity event to pull out the Activity events tables for this specific file type. The Add to graph option is unavailable when the number of hints exceeds 500, in which case you can only choose to view the activity event.

E

Use the Rules or MITRE & Behavior legends to highlight the corresponding icons below relevant edges in the diagram.

F

  • Use the Zoom In (), Zoom Out (), and Zoom To Fit () buttons to adjust the graph window size.

  • Use the Reset () button to restore the graph to the default view.

  • Use the Undo () button to cancel an operation.

G

Navigate between the graphs of the various raw data items for a security event using the right and left arrows.

4

Details pane for the selected node, edge, or leaf where you can view details of the activity, action, or target, and perform common actions on a node or leaf, such as retrieving a file, remediating devices upon malware detection, or adding an application to the Application Control policy blocklist. The actions can also be performed by right-clicking a node or leaf and selecting the option from the menu.

For specific leaf types, this pane also includes an Insights tab which allows you to run queries to retrieve analytics data, such as the number of communicating processes or devices of a certain IP. The Insights options are also available from the right-click menu of those leaf types.

5
  • When a node or leaf is selected, the contextual Activity events tables appear at the bottom, organized by tabs of activity types. Drag the top edge of the table up for a fuller view of the table. Activities with a number at the front of the row are already in the graph, and the number matches the one in the graph.

    • To add activities to the graph, select the corresponding rows and click Add to graph ().

    • To customize the columns to display in the table, click Customize ().

    • To search for a specific activity or event, enter keywords in the search bar on the top right corner ().

    • To filter the results in the Activity Events table to include or exclude a specific value, use the green plus () and red minus () icons that appear when you hover over the value. Multiple filters are supported. To delete a filter, click the cancel icon that appears when you hover over the filter on the top-left of the table.

  • When an edge is selected, the Stacks view appears at the bottom instead.
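The components above describe one data model: process nodes joined by numbered edges, artifact leaves, hint groups that stay off the default graph until an analyst adds them (with the 500-item limit on Add to graph), an activity table with include/exclude filters, and a JSON export. The following Python is an added example written for this page, not FortiEDR code: it builds that model from a handful of constructed activity events so the relationships the window displays can be seen in data. The event field names ("seq", "source", "action", "target", "target_type", "triggered"), the class and method names, and the sample events are all assumptions chosen for illustration.

```python
"""Toy model of the node/edge/leaf/hint structure an investigation graph is
built from. Added example, not FortiEDR code: the event fields and the sample
events below are assumptions constructed for illustration.
"""
import json
from collections import Counter

MAX_ADD_TO_GRAPH = 500  # above this many hints, only "View activity event" is offered

# Constructed sample activity events (not real telemetry). A target of type
# "process" becomes a node; any other target type becomes a leaf.
EVENTS = [
    {"seq": 1, "source": "explorer.exe", "action": "Process Creation",
     "target": "winword.exe", "target_type": "process", "triggered": False},
    {"seq": 2, "source": "winword.exe", "action": "Process Creation",
     "target": "powershell.exe", "target_type": "process", "triggered": True},
    {"seq": 3, "source": "powershell.exe", "action": "File Create",
     "target": r"C:\Users\Public\a.tmp", "target_type": "File", "triggered": False},
    {"seq": 4, "source": "powershell.exe", "action": "File Write",
     "target": r"C:\Users\Public\a.tmp", "target_type": "File", "triggered": False},
    {"seq": 5, "source": "powershell.exe", "action": "Socket Connect",
     "target": "203.0.113.7", "target_type": "IP", "triggered": True},
    {"seq": 6, "source": "powershell.exe", "action": "Socket Close",
     "target": "203.0.113.7", "target_type": "IP", "triggered": False},
    {"seq": 7, "source": "powershell.exe", "action": "Registry Value Set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "target_type": "Registry Value", "triggered": False},
]


class InvestigationGraph:
    """Default view: the process chain from the root plus every edge that
    triggered the security event (the red edges). Everything else a node did
    is kept aside as hints until the analyst adds it to the graph."""

    def __init__(self, events, root):
        self.events = sorted(events, key=lambda e: e["seq"])
        self.nodes = {root}
        self.edges = []
        frontier = [root]
        while frontier:                      # walk process creations from the root
            src = frontier.pop()
            for e in self.events:
                if (e["source"] == src and e["target_type"] == "process"
                        and e["target"] not in self.nodes):
                    self.nodes.add(e["target"])
                    self.edges.append(e)
                    frontier.append(e["target"])
        for e in self.events:                # triggering edges are always drawn
            if e["triggered"] and e not in self.edges:
                self.edges.append(e)
        self.edges.sort(key=lambda e: e["seq"])

    @property
    def leaves(self):
        return {e["target"] for e in self.edges if e["target_type"] != "process"}

    def hints(self, node):
        """Per-type counts of this node's activities not yet on the graph."""
        return Counter(e["target_type"] for e in self.events
                       if e["source"] == node and e not in self.edges)

    def add_to_graph(self, node, target_type):
        """Add one hint group to the graph; refused above the 500-hint limit."""
        pending = [e for e in self.events if e["source"] == node
                   and e["target_type"] == target_type and e not in self.edges]
        if len(pending) > MAX_ADD_TO_GRAPH:
            return False
        self.edges.extend(pending)
        self.edges.sort(key=lambda e: e["seq"])
        return True

    def downstream(self, node):
        """Nodes and leaves hidden when the node's Collapse icon is clicked."""
        hidden, frontier = set(), [node]
        while frontier:
            src = frontier.pop()
            for e in self.edges:
                if e["source"] == src and e["target"] not in hidden:
                    hidden.add(e["target"])
                    frontier.append(e["target"])
        return hidden

    def activity_table(self, node, include=None, exclude=None):
        """Rows for a selected node; rows already on the graph carry their
        sequence number. include/exclude are {column: value} filters."""
        rows = []
        for e in self.events:
            if e["source"] != node:
                continue
            if include and any(e.get(k) != v for k, v in include.items()):
                continue
            if exclude and any(e.get(k) == v for k, v in exclude.items()):
                continue
            rows.append({"number": e["seq"] if e in self.edges else None,
                         "action": e["action"], "target": e["target"],
                         "target_type": e["target_type"]})
        return rows

    def to_json(self):
        """Export the current graph, including analyst additions, as JSON."""
        return json.dumps({"nodes": sorted(self.nodes), "leaves": sorted(self.leaves),
                           "edges": [{"seq": e["seq"], "source": e["source"],
                                      "action": e["action"], "target": e["target"],
                                      "triggered": e["triggered"]} for e in self.edges]},
                          indent=2)


if __name__ == "__main__":
    g = InvestigationGraph(EVENTS, "explorer.exe")
    print("hints for powershell.exe:", dict(g.hints("powershell.exe")))
    g.add_to_graph("powershell.exe", "File")
    print(g.to_json())
```

With the constructed events, the default graph holds only the three processes and edges 1, 2 and 5 (the two triggering edges plus the chain that links them); the file, registry and Socket Close activities of powershell.exe surface as hints until "File" is added, at which point rows 3 and 4 in the activity table pick up their graph numbers. The exported JSON reflects the graph as the analyst left it, which is why the page notes that SVG and JSON exports differ in what they capture.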
